Unauthorized Access to Patient Medical Records: What Happened
HCMC recently discovered that employees of the organization had accessed George Floyd's medical records without authorization. The breach surfaced during HCMC's routine review of its access logs. Once the HIPAA violation was confirmed, the 13 employees who had accessed the records were fired; they included three nurses, a lab technician, a social worker, and a paramedic.
Unauthorized Access to Patient Medical Records: Why This is a HIPAA Violation
HIPAA permits organizations, and their employees, to access protected health information (PHI) without the patient's authorization only for treatment, payment, or healthcare operations. In addition, access to PHI must follow the minimum necessary standard, which requires that employees have access only to the PHI they need to perform their job, and only at the times that a specific job function requires it.
Since the employees in question had no treatment, payment, or operations reason to open George Floyd's medical records, their access is considered unauthorized access to patient medical records.
How to Prevent Unauthorized Access to Patient Medical Records
Certain measures can be taken to prevent unauthorized access to patient medical records. It is unclear whether HCMC had implemented any of them beyond tracking access to PHI through audit logs, but all healthcare organizations are advised to adopt them to prevent similar incidents.
Designate different levels of access to PHI based on each employee's job role, so that employees cannot open records they have no job-related reason to see. Although HCMC went as far as admitting George Floyd under a pseudonym, it likely did not restrict access to his PHI to the employees who actually needed it. A role alone is not enough, since every nurse has the same role; proper access controls also tie chart access to a treatment relationship with the patient, which would have prevented employees who were not treating George Floyd from opening his records.
Audit logs record every access to PHI so that unauthorized access can be detected quickly. Reviewing those logs is what allowed HCMC to determine that George Floyd's records had been accessed without authorization.
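To make the two preceding measures concrete, here is an added example (not HCMC's system, and not code from the original article) that combines a care-team access policy with an audit-log review. The CSV log format, the role names, the user and patient identifiers, and the care-team mapping are all constructed for illustration. The authorization rule is the one described above: a clinical chart may be opened only by someone in a clinical role who also has a treatment relationship with that patient, while billing views are limited to billing staff and the care team. The same rule, run after the fact over the log, flags the accesses that should never have happened.

```python
"""Care-team access policy plus audit-log review for EHR record snooping.

Added example with constructed data. Roles, IDs, the log format and the
care-team table are assumptions, not HCMC's actual configuration.
"""
import csv
import io
from dataclasses import dataclass

# Roles permitted to open a clinical chart at all (assumed policy).
CLINICAL_ROLES = {"physician", "nurse", "paramedic", "lab_tech", "social_worker"}
# Roles whose job is payment/operations: billing views only, no clinical chart.
BILLING_ROLES = {"billing"}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    role: str
    patient: str
    resource: str  # "chart" (clinical record) or "billing"


def is_authorized(ev, care_team):
    """Decide whether one access is consistent with the user's job function.

    care_team maps patient_id -> set of user ids with a treatment relationship.
    Role alone is not sufficient for a chart: every nurse has the same role, so
    the user must also be on that patient's care team (minimum necessary).
    """
    on_team = ev.user in care_team.get(ev.patient, set())
    if ev.resource == "chart":
        return ev.role in CLINICAL_ROLES and on_team
    if ev.resource == "billing":
        return ev.role in BILLING_ROLES or on_team
    return False  # unknown resource types are denied by default


def parse_log(text):
    """Parse the constructed CSV audit log into AccessEvent records."""
    reader = csv.DictReader(io.StringIO(text))
    return [AccessEvent(r["ts"], r["user"], r["role"], r["patient"], r["resource"])
            for r in reader]


def review_log(events, care_team):
    """Return the events that violate the policy, grouped by user id."""
    flagged = {}
    for ev in events:
        if not is_authorized(ev, care_team):
            flagged.setdefault(ev.user, []).append(ev)
    return flagged


# Constructed sample log: one patient (P-7781) treated by u100 and u101.
SAMPLE_LOG = """ts,user,role,patient,resource
2020-06-01T09:00:00,u100,physician,P-7781,chart
2020-06-01T09:05:00,u101,nurse,P-7781,chart
2020-06-01T09:10:00,u102,billing,P-7781,billing
2020-06-01T09:15:00,u103,nurse,P-7781,chart
2020-06-01T09:20:00,u104,lab_tech,P-7781,chart
2020-06-01T09:25:00,u104,lab_tech,P-7781,chart
2020-06-01T09:30:00,u105,billing,P-7781,chart
2020-06-01T09:35:00,u101,nurse,P-4410,chart
"""

# Assumed treatment relationships, normally derived from admission/order data.
CARE_TEAM = {"P-7781": {"u100", "u101"}, "P-4410": {"u101", "u106"}}


def main():
    flagged = review_log(parse_log(SAMPLE_LOG), CARE_TEAM)
    for user, evs in sorted(flagged.items()):
        print(user, [(e.ts, e.patient, e.resource) for e in evs])


if __name__ == "__main__":
    main()
```

On the sample log the review flags u103 (a nurse not on the care team), u104 (a lab technician opening the chart twice) and u105 (billing staff opening a clinical chart), while the care team's own accesses and the billing view by u102 pass. In a real deployment the hard part is keeping the care-team table accurate from admission and order data; the review logic itself is simple, and running it daily rather than only on a periodic audit shortens the window in which snooping goes unnoticed.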
To ensure that employees access PHI only to perform their job functions, they must be trained on the proper uses and disclosures of PHI. It is unclear whether HCMC trained its employees on this; if it did, the employees involved ignored that training.